Organizations in this era can't be separated from information technology, especially for
communication and information sharing. Information technology, especially computer networks,
greatly facilitates communication for agencies. Organizations that use computer networks
generally don't have tools to handle security and bandwidth management issues in large numbers,
resulting in wasteful use of bandwidth for unproductive purposes, such as accessing video
streaming. Professional tools that address security and bandwidth management are already on the
market, but are priced in the hundreds of millions. The high price of professional devices gave
an opportunity to develop a bandwidth management system based on the integration of a remote
authentication dial in user service (RADIUS) server and a Mikrotik RouterBoard, at a lower cost.
A RADIUS server was chosen as the network security service because it supports authentication of
legitimate users via the AAA protocol. The RADIUS server can be integrated with a MySQL database,
so SSO systems can be developed on it. Bandwidth management can be done with Mikrotik features,
but these have the disadvantage of limited storage scalability; that problem can be overcome by
integrating Mikrotik with the RADIUS server and then defining time and data packet quotas for
the client, implemented with the help of hypertext preprocessor (PHP) scripts.

Keywords: Bandwidth management; Integrated; Low cost; Mikrotik RouterBoard; RADIUS Server

1. INTRODUCTION

The internet is now one of society's needs because it greatly facilitates community activities,
especially communication, whether between individuals or between organizations. Based on data
from the Indonesia Internet Association Develops Platform (APJII), there were 143 million internet
users in Indonesia in 2017, consisting of individual users and users in organizations. The Java
region accounted for 57.70% of all Indonesian internet users, Sumatra 19.09%, Kalimantan 7.97%,
Sulawesi 6.73%, Bali-Nusra 5.63% and Maluku-Papua 2.49% [1]. APJII data also show that 44.16% of
Indonesian internet users use smartphones to access networks over wireless technology. The
popularity of wireless networks has led many vendors to compete in developing innovations and
technologies based on wireless networks, such as hotspots: public areas that provide wireless
networks, usually found in internet parks, universities, companies or organizations [2].
Information technology based organizations use hotspots to facilitate communication and
information retrieval, with the aim of smoothing their business. The hotspot technology used is
generally protected by the security features of wired equivalent privacy (WEP) and wi-fi
protected access (WPA), but in the current era WEP and WPA are very easy to tap and less
effective in their configuration [3]. An organization's need for the hotspot network affects the
amount of bandwidth the company must own, so it's necessary to optimize the use of bandwidth by
each hotspot client, because there are still some less productive client activities (such as
accessing video-based entertainment streaming) that can waste the bandwidth of the organization
(company) [4], [5].

The application of databases in information technology based organizations is already
established: the database stores staff or client data, and that data is used to develop
single-sign-on (SSO) systems (single sign on specifically handles client sessions). It has not,
however, been integrated with bandwidth management of the hotspot client, even though bandwidth
management plays an important role in the convenience of hotspot users. Security and bandwidth
management for an organization's hotspot can be handled with a professional computer network
device, but such a device has a price of a hundred million, so it isn't suitable for newly built
organizations [6].

The application of the database in the organization provides an opportunity to develop a network
security system and low-cost client bandwidth management by integrating a remote authentication
dial in user service (RADIUS) server with a Mikrotik RouterBoard. A RADIUS server can be used for
network security because it authenticates network users using the authentication, authorization,
accounting (AAA) protocol and can communicate with the database, so that client accounts
previously stored and used in the SSO system can also be used to access hotspot services.
Bandwidth management for clients can be based on accounting data stored in the RADIUS server
database, which makes the bandwidth management process more dynamic. One method for managing user
bandwidth is to define time quotas and data packages for clients, and its implementation can be
assisted by hypertext preprocessor (PHP) scripts.

The low-cost bandwidth management system was designed in the form of a flowchart and a system
overview diagram. The design is implemented using the FreeRADIUS server as the RADIUS server
application, a Mikrotik RouterBoard as the hotspot server and network access server (NAS), MySQL
as the database management system (DBMS), and PHP scripts for client bandwidth management,
together with a web-based hotspot management site built with the Laravel framework. The bandwidth
management system is tested through two scenarios, namely testing of the scripts and testing of
bandwidth management using FreeRADIUS server modules.

The purpose of developing a low-cost bandwidth management system based on RADIUS server
integration is to provide an alternative solution for designing and building a bandwidth
management service for a company or organization, applying the SSO model in services to simplify
user management, and implementing a bandwidth management model that runs dynamically and
continuously based on a MySQL database and the PHP programming language. The expected benefits of
developing a low-cost bandwidth management system are for companies or organizations that are
building a hotspot network on the basis of client account authentication, has a fairly secure
client authentication method based on the AAA protocol


2. RESEARCH METHOD 
2.1. Related work 

Professional tools that address network security and bandwidth management in organizations are
widely marketed, but cost hundreds of millions [7], [8], putting them out of reach of newly built
or developing organizations. RADIUS servers are deployed on wireless networks to implement client
authentication through the three AAA processes (authentication, authorization and accounting,
which determine client access rights to the network). A RADIUS server can also be integrated with
SSO and LDAP as a legacy authentication protocol solution in simulating the automatic provision
of IP addresses to the client (which can be stored in a database) [9]-[11].

Bandwidth management can be done by limiting time and packet quota through integrating a RADIUS
server with the chilispot captive portal, by using Mikrotik to limit the download speed of a
client that has reached the maximum permitted limit, by using Mikrotik's simple queue feature, or
by managing client internet access rights and activities using Mikrotik and wireless radio
[12]-[15]. Websites for network management, especially of hotspots, are developed using the PHP
programming language, MySQL server, a RADIUS server to handle client authentication, and the
RouterOS API as the interface for communicating with the Mikrotik RouterBoard from PHP [16]-[18].

2.2. Literature
2.2.1. RADIUS server 

The RADIUS server is an access control mechanism that checks and authenticates clients using the
challenge/response method. RADIUS was developed in the mid 1990s by Livingston Enterprises and
uses port 1812. The security mechanism of the RADIUS server handles authentication and
authorization of connections made by the client: the client's username and password are delivered
to the RADIUS server, which runs the matching process, and the client is allowed access to the
network when the match succeeds [19]. The protocol of the RADIUS server is called AAA, which
consists of authentication (handling client authentication), authorization (checking the
authority granted to the client) and accounting (recording all client activities).


2.2.2. FreeRADIUS server application 

FreeRADIUS server is a RADIUS server application developed by Miquel van Smoorenburg and Alan
DeKok in June 1999. The alpha version of FreeRADIUS was released in August 1999 and Version 0.1
was released in May 2001; FreeRADIUS then continued to develop until the latest version, Version
3.0. FreeRADIUS runs on the Linux and Unix operating system platforms and is open source [20].
FreeRADIUS has three main features, namely ISP authentication and accounting (authenticating
clients and calculating their use of services), enterprise networks (reliable for managing
networks with wired or wireless technology) and educational institutions (generally used on
agency-owned networks). FreeRADIUS server modules can be grouped into three types, namely
authentication, data store and policy. The authentication module usually used is rlm_pap (it
matches plain-text request data against encrypted data stored in a database; supported encryption
methods include crypt hashes and MD5 hashes). The data store module commonly used is
rlm_sql_mysql (the driver that links FreeRADIUS to the MySQL server). The policy module commonly
used is rlm_counter (it calculates the usage of clients connected to the hotspot network).


2.2.3. Router 

A router is a computer networking device that sends data packets to their destination through a
process called routing. Routing occurs at OSI layer 3, so a router can connect different local
area networks (LANs). This distinguishes it from network devices that work at OSI layer 1, since
a layer 1 device only functions as a connector [21]. Routers work by looking at the origin and
destination addresses of the data packets that pass through them, and can also determine the best
route for those packets so that they arrive quickly at their destination.

Along with the development of science and technology, router devices have undergone many
developments in both platforms and infrastructure. Software defined routers (SDRs) are an example
of software-based router devices. The hallmark of this type of router is the use of a programming
language in the routing process, which makes it possible to embed artificial intelligence and can
save network development costs [22].


2.2.4. Mikrotik 

Mikrotik is a small company headquartered in Latvia. Its founders are John Tully and Arnis
Riekstins. Mikrotik was established around 1995, and in 1996 John and Arnis declared Mikrotik's
mission of routing the entire world. The mission began with the development of Aeronet
wireless-LAN (WLAN) technology with a speed of 2 Mbps in Moldova. Mikrotik products are generally
divided into two types, namely Mikrotik RouterOS and Mikrotik RouterBoard [23]. Mikrotik has
several reliable network management features, including DHCP (assigning IP addresses
automatically), firewalls (securing local networks), NAT (translating local IP addresses into one
public IP address), hotspots (hotspot servers), and routing. Mikrotik also has license levels
that determine its capabilities; the highest is level 6, the full version.


2.2.5. Wireless network 

Wireless networks can be regarded as the development of LANs on the mobility side. They offer
higher mobility because users connect to the network using radio frequency (RF) rather than
cables [24]. Wireless networks (WLANs) cover a local area, which can range from classrooms to an
entire campus, or from one office to other offices and different buildings. Devices commonly used
to access WLANs are PCs, laptops, PDAs, cellular phones, and other devices that have a WLAN
scanner feature. The advantages of wireless networks are mobility, a fast and flexible
installation process, and low maintenance costs.

2.2.6. MySQL database

A database is a means of storing data that is flexible and fast to access, whether for adding new
data, changing existing data, or deleting data. Many database servers are available, and one of
the most popular is MySQL. MySQL runs on various operating system platforms, such as Linux,
Windows, and others. Many individuals choose MySQL because its syntax is easy to understand and
it supports common programming languages, such as Java, PHP and Python [25].


2.2.7. PHP 

PHP is a scripting language that runs on the server side (server-side scripting). PHP supports
several database servers, including MySQL, Informix, Oracle, Sybase, Solid, PostgreSQL and
Generic ODBC. PHP files can have the extension .php, .php3 or .phtml. The advantages of PHP as a
scripting language are that it runs on a variety of operating system platforms (Windows, Linux,
MacOS), is compatible with almost all servers, is open source (free to download from the official
PHP website), is easy to learn and runs efficiently on the server side [26]. PHP programs are
generally designed around functions (statement blocks that manipulate data); programming in this
way is called procedure-oriented programming. PHP web applications are generally developed by
applying the model view controller (MVC) concept.


2.3. Research method 

The development of a low-cost bandwidth management system begins with the analysis phase, which
is carried out through observation and a search of previous research related to security and
bandwidth management on the network, followed by interviews with teachers and administrators
from one of the state universities in Bali. The analysis phase produced two results. First,
bandwidth management in an organization is generally done by deploying Mikrotik on the
organization's network, where Mikrotik is the central regulator of client bandwidth (with the
simple queue and queue tree methods) and the data storage center for all hotspot client accounts
(Mikrotik may experience storage overload, because its storage is generally still in the
megabyte range) [4], [5]. Second, it produced the formulation of a bandwidth management concept
based on time quota and data packages, with security provided by the RADIUS server AAA protocol.
Based on these results, the bandwidth management features of the simple queue and queue tree
methods can be compared with the bandwidth management features developed in this study. Simple
queue is a bandwidth management feature that is simple and very easy to use, because bandwidth
can be shared for the upload and download activities of each client IP address. Queue tree is a
bandwidth management feature that is flexible and quite complex, because it can manage bandwidth
based on the packets sent by the client (allowing bandwidth management of activities such as
browsing or streaming for all network clients) [27].

The stage after analysis is the design of the system workflow, in the form of a flowchart, and of
the database. Implementation of the system design begins with configuring the RADIUS server so
that it can connect to the database, followed by the hotspot server configuration on Mikrotik,
the integration between the RADIUS server and Mikrotik, the creation of PHP scripts for bandwidth
management, and the creation of a hotspot management website using the Laravel framework. The
last step is testing, which is done through two scenarios, namely bandwidth management using PHP
scripts and bandwidth management using the SQL counter modules belonging to the FreeRADIUS
server, followed by testing of the hotspot management website.

Figure 1 is an overview of the bandwidth management system at a cost-effective price. The system
workflow begins with the client sending request data (a username and password) to the RADIUS
server via the Mikrotik RouterBoard. The RADIUS server matches the request data it receives
against the client data stored in the database, and also checks the time quota and data package
that the client has already used. The client can use the network when the request data matches
the client data stored in the database and the usage of time quota and data package has not
reached the maximum limit. Table 1 explains the addressing used by each device in system
development. The workflow of the system can be differentiated into two, namely the client
authentication mechanism, and checking the usage quota and resetting the client's quota. The
workflow of the client authentication mechanism can be seen in Figure 2.

User authentication begins with a connection request from the client, after which the client is
asked to input a username and password as authentication data and Mikrotik sends the request data
to the RADIUS server. The RADIUS server checks the username, password and user profile in its
database. The client is allowed to access the internet if the user profile is not Disabled. The
process of checking the time quota and the user data package requires a date as input (in the
format Y-m-d H:i). The process then checks whether a client account's active time limit equals
the input date, or compares the data package used with the maximum data package owned by each
client account. The RADIUS server sends a request to Mikrotik to disconnect each username found
during the checking process and changes that username's profile to Disabled. The workflow of the
time quota and data package checking mechanism can be seen in Figure 3.


[Figure 1 diagram not reproduced. Legend (Explanation): send request, reject request, accept
request. Labelled components: Access Point, Client.]

Figure 1. System overview


Table 1. Planning for device addressing
No  Device Name           Interface  IP Address     Subnet mask    Purpose
1   Mikrotik RouterBoard  ether-1    192.168.1.1    255.255.255.0  Internet access
                          ether-2    192.168.88.1   255.255.255.0  Connect to RADIUS Server
                          ether-3    192.168.100.1  255.255.255.0  Hotspot server with DHCP server and connectivity with AP (Access Point)
2   RADIUS Server         eno-1      192.168.88.2   255.255.255.0  Connect to Mikrotik RouterBoard














Figure 2. The client authentication flowchart 

[Figure 3 flowchart not reproduced. Steps shown: datetime input (Y-m-d H:i); check client when
active time limit = datetime or data usage package = maximum data packet limit; set user profile
to Disabled and insert to reset tmp.]

Figure 3. Usage quota flowchart


[Figure 4 flowchart not reproduced. Steps shown: insert radacct to radacct backup; select
username when reset time = datetime input; set username profile to Active.]

Figure 4. Reset quota client flowchart


3. RESULTS AND ANALYSIS 
3.1. Mikrotik configuration 


ISSN: 1693-6930 


The first phase of the Mikrotik configuration is naming the interfaces and addressing them in
accordance with the addressing plan, followed by the gateway configuration so that Mikrotik is
connected to the internet. The next step is the network address translation (NAT) configuration,
so that the internet connection can be distributed to all the interfaces owned by Mikrotik. The
last phase of the Mikrotik configuration is the creation of a hotspot server.


3.2. RADIUS server configuration 


Configuring the RADIUS server starts with configuring its IP address in accordance with the
device addressing design. It then proceeds with installing the necessary packages, such as
FreeRADIUS, MySQL, PHP and Apache2. The next step is the configuration of the SQL counter RADIUS
server modules. The RADIUS server configuration is then completed by enabling SQL and SQL
counters in the client authentication section of the RADIUS server.

3.3. Mikrotik integration with RADIUS server

RADIUS server integration with Mikrotik begins with adding the Mikrotik IP address to the RADIUS
server. The integration process is then followed by adding the RADIUS server IP address to
Mikrotik. The rules table is stored in a MySQL database so that it can be configured easily.


3.4. Testing and result 

The testing phase of the bandwidth management system is done through two scenarios: testing
bandwidth management with PHP scripts and testing bandwidth management with the SQL counter
modules. Bandwidth management with PHP scripts requires a date parameter, and the date given is
'2020-03-05 23:37'. The client whose active limit runs until that date is the client with
username user1. After the quota usage script is executed, this client is disconnected from the
hotspot network and its profile is changed to Disabled. A client with the Disabled profile is
not able to use the hotspot network and is shown an error message. Clients with the Disabled
profile cannot access the hotspot again until the script has reset the client's quota. The client
quota reset script updates the client's time quota and data plan, and changes the client's
profile to Active. Testing bandwidth management based on data packages with SQL counter does not
give optimal results, because the client is still connected and can use the hotspot when the data
packet quota has exceeded the maximum limit. Bandwidth management based on time quota with SQL
counter gives the best results, because the client is disconnected when the session timeout
reaches 0 and cannot reconnect to the hotspot network before the quota update process is carried
out.
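
The quota usage and quota reset scripts exercised in this test (the workflows of Figures 3 and 4), as an added PHP sketch that is not the authors' code. It assumes an in-memory SQLite database in place of MySQL, the profile kept in `radusergroup.groupname`, and hypothetical `client_quota`, `reset_tmp` and `radacct_backup` layouts; it also compares with `<=` and `>=` instead of the flowchart's equality, and leaves disconnecting the session on Mikrotik to the caller.

```php
<?php
// Constructed stand-in for the RADIUS database: in-memory SQLite instead of MySQL
// so the sketch runs offline. radacct/radusergroup columns follow the stock
// FreeRADIUS schema; the other three tables and their columns are assumptions.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE radusergroup (username TEXT PRIMARY KEY, groupname TEXT)');
    $db->exec('CREATE TABLE radacct (username TEXT, acctinputoctets INTEGER, acctoutputoctets INTEGER)');
    $db->exec('CREATE TABLE radacct_backup (username TEXT, acctinputoctets INTEGER, acctoutputoctets INTEGER)');
    $db->exec('CREATE TABLE client_quota (username TEXT PRIMARY KEY, active_until TEXT, max_octets INTEGER)');
    $db->exec('CREATE TABLE reset_tmp (username TEXT PRIMARY KEY, reset_at TEXT)');
    return $db;
}

// Accept only an exact "Y-m-d H:i" value; the queries compare these as strings.
function stamp(string $s): string
{
    $dt = DateTime::createFromFormat('!Y-m-d H:i', $s);
    if ($dt === false || $dt->format('Y-m-d H:i') !== $s) {
        throw new InvalidArgumentException("expected Y-m-d H:i, got: $s");
    }
    return $s;
}

// Figure 3: disable each enabled account whose time limit or data quota is reached and
// queue its reset. Uses <= / >= rather than the flowchart's equality (an assumption).
function enforceQuota(PDO $db, string $now, string $resetAt): array
{
    [$now, $resetAt] = [stamp($now), stamp($resetAt)];
    $find = $db->prepare(
        "SELECT q.username FROM client_quota q
           JOIN radusergroup g ON g.username = q.username
           LEFT JOIN radacct a ON a.username = q.username
          WHERE g.groupname <> 'Disabled'
          GROUP BY q.username, q.active_until, q.max_octets
         HAVING q.active_until <= :now
             OR COALESCE(SUM(a.acctinputoctets + a.acctoutputoctets), 0) >= q.max_octets"
    );
    $find->execute([':now' => $now]);
    $users = $find->fetchAll(PDO::FETCH_COLUMN);
    $disable = $db->prepare("UPDATE radusergroup SET groupname = 'Disabled' WHERE username = ?");
    $queue = $db->prepare('REPLACE INTO reset_tmp (username, reset_at) VALUES (?, ?)');
    $db->beginTransaction();
    foreach ($users as $u) {
        $disable->execute([$u]);
        $queue->execute([$u, $resetAt]);
    }
    $db->commit();
    return $users; // caller disconnects these usernames' sessions on the NAS
}

// Figure 4: for accounts whose reset time has come, archive their accounting rows,
// extend the time quota and set the profile back to Active.
function resetQuota(PDO $db, string $now, string $newActiveUntil): array
{
    [$now, $newActiveUntil] = [stamp($now), stamp($newActiveUntil)];
    $due = $db->prepare('SELECT username FROM reset_tmp WHERE reset_at <= ?');
    $due->execute([$now]);
    $users = $due->fetchAll(PDO::FETCH_COLUMN);
    $db->beginTransaction();
    foreach ($users as $u) {
        foreach ([
            ['INSERT INTO radacct_backup SELECT * FROM radacct WHERE username = ?', [$u]],
            ['DELETE FROM radacct WHERE username = ?', [$u]],
            ['UPDATE client_quota SET active_until = ? WHERE username = ?', [$newActiveUntil, $u]],
            ["UPDATE radusergroup SET groupname = 'Active' WHERE username = ?", [$u]],
            ['DELETE FROM reset_tmp WHERE username = ?', [$u]],
        ] as [$sql, $args]) {
            $db->prepare($sql)->execute($args);
        }
    }
    $db->commit();
    return $users;
}

// Constructed sample rows: user1 reaches its time limit, user2 its data quota.
$db = makeDb();
$db->exec("INSERT INTO radusergroup VALUES ('user1','Active'),('user2','Active'),('user3','Active')");
$db->exec("INSERT INTO client_quota VALUES ('user1','2020-03-05 23:37',5000000000),('user2','2020-04-01 00:00',50000000),('user3','2020-04-01 00:00',50000000)");
$db->exec("INSERT INTO radacct VALUES ('user1',1000,2000),('user2',30000000,25000000),('user3',1000,1000)");
print_r(enforceQuota($db, '2020-03-05 23:37', '2020-03-06 00:00'));
print_r(resetQuota($db, '2020-03-06 00:00', '2020-04-05 23:37'));
```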

Continuous bandwidth management testing with PHP scripts is carried out to ensure that the PHP
scripts running under the crontab service can carry out bandwidth management continuously on
several client accounts. There are 20 client accounts registered for the continuous testing
process with various time quotas and data packet quotas. The minimum time quota for an account is
one day and the maximum time quota is 60 days. The minimum data package quota for a client
account is 50 Mb and the maximum data package quota is 5 GB.

Continuous testing was carried out over fourteen days, from 16 May 2020 until 29 May 2020. The
results of continuous bandwidth management using PHP scripts over this period were analysed to
determine the success rate (percentage) of the PHP scripts in managing bandwidth for hotspot
clients based on time quota and data packet quota. The results of the test analysis are shown in
Table 2.

Website testing is done directly by the author. The website has two levels of access, namely
network administrator permissions and client permissions. One of the website features available
to the network administrator is adding hotspot client data. The client permissions provide
several features, one of which is viewing time and package quota usage in the form of charts.


Table 2. Analysis of result
                                                  Percentage of Success
Analysis Parameters                   Time Quota Limitation  Data Packet Quota Restrictions
Minimum Value Percentage of Success   100%                   70.8%
Maximum Value Percentage of Success   100%                   99.58%
Average Percentage of Success         100%                   94.33%





3.6. Product comparison 

The bandwidth management system produced here needs to be compared with similar products in
order to show the differences in main features, type of product, and price. The first comparator
is the S5000-AC-I Sangfor IAM device, whose key features are bandwidth management and SSO-based
user authentication and which has a price of Rp. 650.000.000 [28]. The second product is
TekRADIUS, which supports Windows and Microsoft SQL Server, at a price of $239.00 [29]. The third
benchmarking product is the ClearBox RADIUS Server, which uses SQL scripting to control client
authentication and accounting and has a price of $599.00 [30]. The fourth product, called
IronWifi, is a cloud-based product with time-based and data packet client limitation, which costs
$10 and $15 per client per month [31]. This comparison shows that the results of this research
are able to provide a relatively cheaper implementation solution.


4. CONCLUSION 

Low-cost bandwidth management can be achieved through integration between the RADIUS server and
the Mikrotik RouterBoard. The purpose of this integration, in addition to developing a low-cost
bandwidth management system, is to increase the security of the hotspot network, especially in
terms of legitimate user authentication. The use of databases as data storage allows the system
to be integrated with SSO, either by using the database belonging to the RADIUS server or by
using other methods, so that client data from the RADIUS server database can be synced to other
databases. The bandwidth management system is tested through two scenarios, namely with PHP
scripts and with SQL counters, with the main objective of testing the effectiveness of each way
of managing bandwidth; the result is that the more effective way to manage bandwidth is with PHP
scripts. The bandwidth management website is divided into two permissions, namely administrator
permissions for hotspot client management, and hotspot client permissions for checking quota
usage and quota history. Further research is needed to develop this work, especially in terms of
data security on the RADIUS server, with the aim of increasing the protection of client accounts.
The features of the hotspot management website also need further development, so that hotspot
management activities can be carried out more quickly. Development is also needed in terms of
testing, especially testing in more complex environments, to determine overall system
performance and effectiveness.